MetaPHOR
MetaPHOR is a metamorphic virus written by The Mental Driller of the 29A group. The original infects only 32-bit Windows executables; a later variant is a cross-platform infector that can also infect Linux ELF files. The Mental Driller wrote the virus to add many new features to the metamorphic engines of its time, and he planned a Linux-capable variant early on. Because the engine works from an intermediate form that is independent of CPU and operating system, a cross-CPU infector is also possible, though none has materialized.

Behavior
When a file infected with MetaPHOR is executed and the virus takes control, it first runs its polymorphic decryptor (unless this copy is unencrypted: the virus is programmed to produce an unencrypted copy every few infections). The decryptor allocates 3.5 megabytes of memory and uses it to decipher the body of the virus. Unlike most decryptors, which decrypt the body linearly from start to end, this one uses "pseudo-random index decryption" (a term coined by The Mental Driller) to decrypt the bytes in a seemingly random order, an effort to evade heuristic scanners that look for a conventional decryption loop.

Once the decrypted body runs, it locates the 20 APIs it needs for replicating and for displaying its messages, then checks the date to decide whether to display them. MetaPHOR then generates a new body in memory. It begins by disassembling itself into an intermediate form that is independent of the operating system and CPU, removing the redundant instructions inserted during the previous infection so that this form shrinks back. It then permutes the form by reordering some subroutines and moving blocks of code, linking them with jump instructions, and randomly inserts new redundant, unused instructions. Finally it reassembles the intermediate form into native code for the target CPU and OS, which is what gets added to .exe files.

MetaPHOR looks for .exe files in the current directory, then on all fixed and mapped network drives. It checks several things before it infects a file.
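The pseudo-random index decryption described above can be illustrated with a small constructed model. The following Python is an added example and is not MetaPHOR's code: the generator (a linear congruential generator with a full period over a power-of-two buffer size), the key schedule, the sample body and the toy "adjacent write" heuristic are all assumptions made for the illustration. It shows why out-of-order decryption works for a position-keyed XOR cipher and why a heuristic that expects consecutive writes misses it.

```python
"""Illustration of pseudo-random index decryption (PRIDE) versus a
linear XOR decryptor. Constructed example; not MetaPHOR's own code."""


def xor_linear(buf: bytes, key: bytes) -> bytes:
    """Conventional decryptor: walk the buffer front to back."""
    out = bytearray(buf)
    for i in range(len(out)):
        out[i] ^= key[i % len(key)]
    return bytes(out)


def pride_index_order(n: int, seed: int) -> list[int]:
    """Visit every index in range(n) exactly once, in a scrambled order.

    Uses a linear congruential generator modulo n. For n a power of two,
    a ≡ 1 (mod 4) and c odd give a full period (Hull-Dobell theorem), so
    the n values produced are a permutation of range(n). This generator is
    an assumption for the illustration, not the virus's actual PRNG.
    """
    if n <= 0 or n & (n - 1):
        raise ValueError("n must be a power of two")
    a = 4 * (seed & 0xFFFF) + 1         # a ≡ 1 (mod 4)
    c = ((seed >> 16) | 1) & 0xFFFF     # c odd
    x = seed % n
    order = []
    for _ in range(n):
        order.append(x)
        x = (a * x + c) % n
    return order


def pride_decrypt(buf: bytes, key: bytes, seed: int) -> bytes:
    """Undo the same XOR scheme, but touch the bytes in PRNG order.

    This only works because each keystream byte depends on the index alone
    (key[i % len(key)]); a chained cipher could not be undone out of order.
    """
    out = bytearray(buf)
    for i in pride_index_order(len(out), seed):
        out[i] ^= key[i % len(key)]
    return bytes(out)


def adjacent_write_fraction(order: list[int]) -> float:
    """Toy emulation heuristic: the share of writes that land at the address
    just after the previous write. A linear decryptor scores 1.0; the
    scrambled order scores close to 0."""
    if len(order) < 2:
        return 0.0
    hits = sum(1 for prev, cur in zip(order, order[1:]) if cur == prev + 1)
    return hits / (len(order) - 1)


# Constructed sample body, padded to a power-of-two length for the LCG.
BODY = b"constructed sample body, not virus code. ".ljust(256, b"\0")
KEY = bytes.fromhex("29a1deadbeef")   # arbitrary key for the illustration
SEED = 0x12345678
CIPHER = xor_linear(BODY, KEY)        # XOR is its own inverse, so this encrypts


if __name__ == "__main__":
    order = pride_index_order(len(CIPHER), SEED)
    assert sorted(order) == list(range(len(CIPHER)))
    assert pride_decrypt(CIPHER, KEY, SEED) == BODY
    print("linear decryptor adjacency:", adjacent_write_fraction(list(range(256))))
    print("PRIDE decryptor adjacency:  ", adjacent_write_fraction(order))
```

The point of the model is the last two lines: both decryptors produce the same plaintext, but a detector that waits for a run of sequential memory writes before it starts emulating in earnest never sees one from the scrambled-order loop.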
The virus avoids infecting files whose names begin with PA, F-, SC, DR or NO, or that contain the letter V anywhere, and it avoids files in directories whose names begin with W. The comparison masks each character down to its low five bits so that case is ignored, which also folds some digits and punctuation onto letters: files beginning with FM or containing the digit 6 are skipped as well, as are directories beginning with the digit 7. It also avoids goat files. The file must have a checksum, be a PE executable for 386 and later processors, and have sections named .text and .data. After passing these checks, MetaPHOR infects the file. If the name of the last section is .reloc, the virus adds itself to the beginning of the data section and updates the file's offsets. If there is no .reloc section, the virus is placed in a random section of the file; there is also a small chance it does this even when a .reloc section exists.

On the 17th of March, June, September and December it displays a message box reading "MetaPHOR v1 by The Mental Driller/29A", with the case of each letter chosen at random. On the 14th of May, if the system locale is set to Hebrew, it displays a message box reading "Free Palestine".

Variants
In addition to the original, The Mental Driller wrote two variants, and a third was written by someone else and is sometimes called the "unofficial C variant". MetaPHOR.D, which infects both Windows and Linux executables, is sometimes called the "official C variant". MetaPHOR.B replaces "v1" in the displayed message with "1b". MetaPHOR.C, the unofficial variant not written by The Mental Driller, replaces the whole message with "Deutsche Telekom@by@Energy rpp2@g".

MetaPHOR.D
MetaPHOR.D (also known as the official MetaPHOR.C variant, and named MetaPHOR 1C by The Mental Driller) infects both Windows .exe and Linux ELF executables. Its infection length is around 110 kilobytes but varies widely because of the metamorphic engine. Unlike Winux, the first cross-platform Windows/Linux infector, which uses two separate infection routines for ELF and .exe files, MetaPHOR.D shares most of its code between the two infection paths.

Name
The Mental Driller derived the name MetaPHOR from "Metamorphic Permutating High-Obfuscating Reassembler", which describes the virus accurately. He had planned to call it "Metastasis", but a member of his family was diagnosed with cancer and he did not want to trivialize the suffering of cancer patients. He settled on MetaPHOR, which he later considered a perfect name, since every generation of the virus is a "metaphor" of the previous one.

Effects
MetaPHOR was never released into the wild, but it was published in 29A magazine, so anyone could assemble the source and release it. Most antivirus products detect the virus to prevent a possible outbreak. F-Secure's antivirus product flagged several clean files as MetaPHOR-infected, including a Visio .dll, a Norton Utilities .dll and a Lexmark printer driver.

Category:29A Category:Assembly Category:Virus Category:Win32 virus Category:Win32 Category:Microsoft Windows Category:Linux Category:Linux virus Category:Metamorphic virus